Sunday, July 22, 2018

Adding the Backup Operators group to a Home edition

Home editions of Windows have fewer built-in groups than Pro editions. Some of those missing groups, however, still have their SID appear in various default ACLs and privilege lists. One such group is Backup Operators.

Creating a new group with the same name as a missing built-in group won't have any effect because the SID will be different. There is also no way to specify the SID of a new security principal... without editing the SAM database in the Registry. To access the SAM of a live system, we need to open the Registry Editor as the SYSTEM account. That can be accomplished with PsExec:

psexec -s -i regedit

Information on built-in groups is stored under this key:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases

It has one subkey for each group. The subkey names are the zero-padded eight-digit hexadecimal representation of the last fragment of the group's SID. The Backup Operators SID is S-1-5-32-551, so its subkey is 00000227. The Aliases subkey also has a Names subkey, which likewise has a subkey for each built-in group. This time, the subkey names are the group names. The default value of each name subkey is an empty binary value - what matters is the type code of the default value, which stores the last SID fragment.

Both keys are necessary for the group to work properly. They can be exported from a Windows installation that has a desired group and imported into one that doesn't. The group will appear after a reboot.
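The two-way mapping described above (SID to zero-padded hex subkey name, and the type code of the Names default value back to the RID) can be checked mechanically. The script below is an added example, not code from the original post: it computes the subkey name for a BUILTIN alias SID, and cross-checks the Aliases and Aliases\Names structures so that a group present in only one of them (the "both keys are necessary" case) is reported. Reading the live SAM with `winreg` is an assumption about tooling; it only works on Windows when run as SYSTEM, for instance under `psexec -s`.

```python
import re

# Key under HKEY_LOCAL_MACHINE named in the post (readable only as SYSTEM).
ALIASES_KEY = r"SAM\SAM\Domains\Builtin\Aliases"

def subkey_name_for_sid(sid):
    """'S-1-5-32-551' -> '00000227': the RID as zero-padded 8-digit hex."""
    m = re.fullmatch(r"S-1-5-32-(\d+)", sid)
    if not m:
        raise ValueError(f"not a BUILTIN alias SID: {sid}")
    return f"{int(m.group(1)):08X}"

def sid_for_subkey_name(name):
    """'00000227' -> 'S-1-5-32-551' (the inverse mapping)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", name):
        raise ValueError(f"not an alias subkey name: {name}")
    return f"S-1-5-32-{int(name, 16)}"

def check_alias_consistency(alias_subkeys, name_types):
    """Cross-check the two structures the post describes: each Names\\<group>
    default-value type code must match an Aliases\\<hex RID> subkey and vice
    versa. Returns {group or subkey: 'ok'|'missing alias key'|'missing name'}."""
    by_rid = {int(s, 16): s for s in alias_subkeys}
    result = {g: "ok" if rid in by_rid else "missing alias key"
              for g, rid in name_types.items()}
    for rid, subkey in by_rid.items():
        if rid not in set(name_types.values()):
            result[subkey] = "missing name"
    return result

def read_live_sam():
    """Windows only, run as SYSTEM (e.g. under psexec -s). Returns
    (alias subkey names, {group name: default-value type code})."""
    import winreg  # assumed tooling; not part of the original post
    def subkeys(key):
        out = []
        while True:
            try:
                out.append(winreg.EnumKey(key, len(out)))
            except OSError:
                return out
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ALIASES_KEY) as aliases:
        hex_keys = [k for k in subkeys(aliases) if k != "Names"]
        with winreg.OpenKey(aliases, "Names") as names:
            types = {}
            for group in subkeys(names):
                with winreg.OpenKey(names, group) as g:
                    types[group] = winreg.QueryValueEx(g, "")[1]  # type code = RID
    return hex_keys, types
```

On a live system, `check_alias_consistency(*read_live_sam())` lists every alias and flags any half-imported group.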
